Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 190b6ff3c4
Branches Tags
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
configuring-es.asciidoc

configuring-es.asciidoc 4.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 
  1. [role="xpack"]
    2. 

  2. [[configuring-security]]
    3. 

  3. == Configuring security in {es}
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Configuring security</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. The {es} {security-features} enable you to easily secure a cluster. You can
    9. 

  9. password-protect your data as well as implement more advanced security measures
    10. 

  10. such as encrypting communications, role-based access control, IP filtering, and
    11. 

  11. auditing. For more information, see
    12. 

  12. <<elasticsearch-security>>.
    13. 

  13. 

  14. . Verify that you are using a license that includes the specific
    15. 

  15. {security-features} you want.
    16. 

  16. +
    17. 

  17. --
    18. 

  18. For more information, see https://www.elastic.co/subscriptions and
    19. 

  19. {stack-ov}/license-management.html[License management].
    20. 

  20. --
    21. 

  21. 

  22. . Verify that the `xpack.security.enabled` setting is `true` on each node in
    23. 

  23. your cluster. If you are using basic or trial licenses, the default value is `false`.
    24. 

  24. For more information, see <<security-settings>>.
    25. 

  25. 

  26. . If you plan to run {es} in a Federal Information Processing Standard (FIPS) 
    27. 

  27. 140-2 enabled JVM, see <<fips-140-compliance>>. 
    28. 

  28. 

  29. . <<configuring-tls,Configure Transport Layer Security (TLS/SSL) for internode-communication>>.
    30. 

  30. +
    31. 

  31. --
    32. 

  32. NOTE: This requirement applies to clusters with more than one node and to
    33. 

  33. clusters with a single node that listens on an external interface. Single-node
    34. 

  34. clusters that use a loopback interface do not have this requirement.  For more
    35. 

  35. information, see
    36. 

  36. <<encrypting-communications>>.
    37. 

  37. 

  38. --
    39. 

  39. 

  40. . If it is not already running, start {es}.
    41. 

  41. 

  42. . Set the passwords for all built-in users.
    43. 

  43. +
    44. 

  44. --
    45. 

  45. The {es} {security-features} provide
    46. 

  46. <<built-in-users,built-in users>> to
    47. 

  47. help you get up and running. The +elasticsearch-setup-passwords+ command is the
    48. 

  48. simplest method to set the built-in users' passwords for the first time.
    49. 

  49. 

  50. For example, you can run the command in an "interactive" mode, which prompts you
    51. 

  51. to enter new passwords for the built-in users:
    52. 

  52. 

  53. [source,shell]
    54. 

  54. --------------------------------------------------
    55. 

  55. bin/elasticsearch-setup-passwords interactive
    56. 

  56. --------------------------------------------------
    57. 

  57. 

  58. For more information about the command options, see <<setup-passwords>>.
    59. 

  59. 

  60. IMPORTANT: The `elasticsearch-setup-passwords` command uses a transient bootstrap
    61. 

  61. password that is no longer valid after the command runs successfully. You cannot
    62. 

  62. run the `elasticsearch-setup-passwords` command a second time. Instead, you can
    63. 

  63. update passwords from the **Management > Users** UI in {kib} or use the security
    64. 

  64. user API.
    65. 

  65. 

  66. --
    67. 

  67. 

  68. . Choose which types of realms you want to use to authenticate users.
    69. 

  69. +
    70. 

  70. --
    71. 

  71. TIP: The types of authentication realms that you can enable varies according to
    72. 

  72. your subscription. For more information, see https://www.elastic.co/subscriptions.
    73. 

  73.  
    74. 

  74. --
    75. 

  75. ** <<configuring-ad-realm,Active Directory realms>>
    76. 

  76. ** <<file-realm,File realms>>
    77. 

  77. ** <<kerberos-realm,Kerberos realms>>
    78. 

  78. ** <<ldap-realm,LDAP realms>>
    79. 

  79. ** <<native-realm,Native realms>>
    80. 

  80. ** <<pki-realm,PKI realms>>
    81. 

  81. ** <<saml-realm,SAML realms>>
    82. 

  82. 

  83. . Set up roles and users to control access to {es}.
    84. 

  84. +
    85. 

  85. --
    86. 

  86. For example, to grant _John Doe_ full access to all indices that match
    87. 

  87. the pattern `events*` and enable them to create visualizations and dashboards
    88. 

  88. for those indices in {kib}, you could create an `events_admin` role
    89. 

  89. and assign the role to a new `johndoe` user.
    90. 

  90. 

  91. [source,shell]
    92. 

  92. ----------------------------------------------------------
    93. 

  93. curl -XPOST -u elastic 'localhost:9200/_security/role/events_admin' -H "Content-Type: application/json" -d '{
    94. 

  94.   "indices" : [
    95. 

  95.     {
    96. 

  96.       "names" : [ "events*" ],
    97. 

  97.       "privileges" : [ "all" ]
    98. 

  98.     },
    99. 

  99.     {
    100. 

  100.       "names" : [ ".kibana*" ],
    101. 

  101.       "privileges" : [ "manage", "read", "index" ]
    102. 

  102.     }
    103. 

  103.   ]
    104. 

  104. }'
    105. 

  105. 

  106. curl -XPOST -u elastic 'localhost:9200/_security/user/johndoe' -H "Content-Type: application/json" -d '{
    107. 

  107.   "password" : "userpassword",
    108. 

  108.   "full_name" : "John Doe",
    109. 

  109.   "email" : "john.doe@anony.mous",
    110. 

  110.   "roles" : [ "events_admin" ]
    111. 

  111. }'
    112. 

  112. ----------------------------------------------------------
    113. 

  113. // NOTCONSOLE
    114. 

  114. --
    115. 

  115. 

  116. . [[enable-auditing]](Optional) Enable auditing to keep track of attempted and
    117. 

  117. successful interactions with your {es} cluster:
    118. 

  118. +
    119. 

  119. --
    120. 

  120. TIP: Audit logging is available with specific subscriptions. For more
    121. 

  121. information, see https://www.elastic.co/subscriptions.
    122. 

  122. 

  123. .. Add the following setting to `elasticsearch.yml` on all nodes in your cluster:
    124. 

  124. +
    125. 

  125. [source,yaml]
    126. 

  126. ----------------------------
    127. 

  127. xpack.security.audit.enabled: true
    128. 

  128. ----------------------------
    129. 

  129. +
    130. 

  130. For more information, see <<auditing>> and <<auditing-settings>>. 
    131. 

  131. 

  132. .. Restart {es}.
    133. 

  133. 

  134. Events are logged to a dedicated `<clustername>_audit.json` file in
    135. 

  135. `ES_HOME/logs`, on each cluster node.
    136. 

  136. --
    137. 

  137. 

  138. To walk through the configuration of {security-features} in {es}, {kib}, {ls}, and {metricbeat}, see <<security-getting-started>>.
    139. 

  139. 

  140. include::authentication/configuring-active-directory-realm.asciidoc[]
    141. 

  141. 

  142. include::reference/files.asciidoc[]
    143. 

  143. include::fips-140-compliance.asciidoc[]
    144. 

  144.